The coin ipping selector for selective encryption

Some applications require high-speed encryption even at the expense of reduced security. With a xed secure, but slow cryptographic algorithm, there still is an appealing possibility for encryption speedup by encrypting only some portion of data. In this paper we analyze the ciphertext security obtained this way. We show that it is not possible to exclude from encryption even a small constant fraction of data without signi cantly compromising security. 1 Motivation, assumptions, goals Volume of data is nowadays bigger than ever. Multimedia are a typical example. Fast real-time on-demand encryption of multiple multimedia streams requires specialized powerful hardware. It is sometimes not possible (or economical) to use powerful enough hardware solution. Then we can replace the encryption algorithm with a faster although maybe less secure one. Another possibility is to use selective encryption with the original secure algorithm. In this case we encrypt only some fraction of plaintext. Let p denote the fraction of encrypted plaintext. The parameter p ranges between 0 (no encryption) and 1 (full encryption) and is used to control the balance between the encryption speedup and the security. For example, selective encryption is used for online encryption of MPEG video [1]. In this case, the knowledge of the internal data structure is exploited in order to encrypt only DC coe cients and sign bits of motion vectors. Similar techniques are also used for pictures [2]. For overview of selective encryption methods see [3]. Security of these algorithms is not formally proved. We formally analyze security of selective encryption in this paper. As we are interested in a general case, we make no assumptions on the internal data structure or on statistical properties of the plaintext. We originally hoped that it could be possible to selectively encrypt portion of plaintext while maintaining reasonable security. However, we show that this ? Supported by VEGA grant No. 1/3106/06. does not work. Since we prove a negative result, it is only better if assumptions are more disadvantageous for the attacker than in practical usage: 1. One-time pad is used as the encrypting algorithm. One-time pad is the rst and only encryption algorithm for which there is a proof of perfect secrecy if the key is truly random, never reused, and kept secret. We choose this cipher to abstract from eventual weaknesses of the actual cipher which can be exploited by attacker. Theoretical results obtained this way can be used in practice as upper bounds for security of any other selected encryption algorithm. 2. Attacker can manage no more than ciphertext-only attack. The attacker is assumed to have access only to a ciphertext and full description of selective encryption algorithm. This means that the attacker knows the enciphering algorithm and also the method of bit selection for enciphering. 3. Attack is peformed using brute force. Key space is searched from the most probable key to the least probable key omitting impossible keys to minimize the attacker's work. We assume that the selection algorithm chooses bits for encrypting independently from plaintext content (besides its length). In general it cannot be expected that a better attack is possible. However in actual situation speci c properties of plaintext can lead to a more e cient attack. 4. Attack complexity measure is de ned as a fraction of key space that attacker has to search in average to nd the key. Attacker tries every possible key until he nds one that deciphers to the desired plaintext. We ignore the complexity of verifying whether deciphered plaintext is the original one. For selective encryption with p = 1 (one-time pad), the expected attack complexity is 1/2. For selective encryption with p = 0 expected complexity is 0. We 1 E.g. high redundancy of plaintext poses an even greater risk for selective encryption then for full text encryption. consider every cipher for which attack complexity approaches 0 as plaintext length goes to +∞ insecure. We assume that encrypting p percent of plaintext bits with selective encryption reduces sender's work to p percent omitting overhead necessary for selecting those bits. In this situation we will be satis ed with (and accept this as reasonable degradation of security) reduction of attack complexity from 1/2 to p/2, because this means that attacker's work is in average also reduced to p percent but no more.